Certificates
Certificates on the firewall are used for:
*Captive Portal
*SSL Decryption
*GlobalProtect
*Web GUI Management

If the certificate is used for SSL decryption, it needs to be a CA certificate. If it is used for GlobalProtect, Captive Portal, or the Web GUI, the CA option is not needed.

After generating the certificate, click the certificate name and specify the certificate type:
*Forward Trust, Forward Untrust, Trusted Root CA, SSL Exclude, or Certificate for Secure Web GUI

'''TO GENERATE:'''

Device -> Certificate Management -> Certificate -> '''Device Certificate''' (tab)

'''Certificate Name:'''
*Case sensitive. Up to 31 characters. Accepts only letters, numbers, spaces, hyphens, and underscores.

'''Common Name:'''
*Enter the IP address or FQDN that will appear on the certificate.

'''Signed By:'''
*List of CA certificates that were generated on the firewall. The selected certificate is used to sign the certificate being generated.

'''Certificate Authority:'''
*Mark this IF the certificate will be used to sign other certificates on the firewall.

'''OCSP Responder:'''
*Configured under Device -> Certificate Management -> OCSP Responder.
*A lookup is performed for the host name of the IP address to generate an OCSP Responder URL, which then appears in this drop-down.

'''Number of Bits:''' ''(key length for the certificate, RSA)''
*512 (not recommended)
*1024 (the minimum)
*2048
*3072 (most secure key)

'''Digest:'''
*'''MD5''' (message digest) = 128-bit hash of a message of any length. Segments the message into 512-bit blocks and then into sixteen 32-bit words. After padding, four 32-bit variables are initialized.
**Uses a secure method to compress the file and generate a computed output of a specified number of bits. Developed by Ronald L. Rivest.
*'''SHA-1''' (secure hash algorithm) = Creates message digests 160 bits long that can be used by the Digital Signature Algorithm (DSA), which can compute the signature of the message.
**Modeled after MD4.
**Works in block mode. Separates the data into words first, and then groups the words into blocks. The words are 32-bit strings converted to hex, grouped together as 16 words, making up 512-bit blocks. Once a message has been formatted for processing, the actual hash can be generated.
*'''SHA-256''' = Accepts inputs of less than 2^64 bits and reduces that input to a hash of 256 bits. Uses 32-bit words and 512-bit blocks. Padding of 0s is added until the entire message is a multiple of 512 bits.
**Uses sixty-four 32-bit words, eight working variables, and results in a hash value of eight 32-bit words = 256 bits.
*'''SHA-384''' = Uses 64-bit words to produce a 384-bit hash.
*'''SHA-512''' = Handles a larger set of data. Accepts 2^128-1 bits of input, which is padded until it forms several 1024-bit blocks of data. It uses 64-bit words; eight 64-bit words produce the 512-bit hash.

'''Expiration Days:''' ''(how long the certificate will be valid)''
*Shorter lifetimes limit the ability of attackers to crack them, but longer lifetimes lower system overhead.
*If a ''Validity Period'' is configured in GlobalProtect Portal Satellite, that value will override this.

'''Certificate Attributes:'''
*Country, State, Locality, Organization, Department, Email, Host Name, IP, and Alt Email

----
'''SECURITY CERTIFICATE TYPE:'''
*'''Forward Trust''' - This certificate is presented to clients during decryption when the server to which they are connecting is signed by a CA in the firewall's trusted CA list.
**If a self-signed certificate is used for forward proxy decryption, you must click the certificate name in the Certificate page and select Forward Trust Certificate.
*'''Forward Untrust''' - This certificate is presented to clients during decryption when the server to which they are connecting is signed by a CA that is NOT in the firewall's trusted CA list.
*'''Trusted Root CA''' - Marked as a trusted CA for forward decryption purposes.
*'''SSL Exclude''' - This certificate excludes connections if they are encountered during SSL forward proxy decryption.
*'''Certificate for Secure Web GUI''' - Authenticates users for accessing the firewall's GUI. If this is checked, the firewall will use this certificate for all future web-browsing management sessions following the next commit.

Device -> Certificate Management -> Certificate -> '''Default Trust Certificate Authorities''' (tab)
*This page controls the certificate authorities (CAs) that the firewall will trust.

Device -> Certificate Management -> '''Certificate Profile'''
*Certificate Profiles can be attached to:
**Administrator Login (on the Setup page)
**GlobalProtect Gateways for authentication
**SSL-VPN login for use in authentication
**Captive Portal

'''CRL and OCSP responders:'''

Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) each maintain a list of certificates which have been revoked by the Certificate Authority. If the private key associated with a certificate is lost or exposed, then any authentication using that certificate should be denied. Likewise, if someone leaves the company or changes names, their certificates are replaced and the old certificates are marked as invalid. The purpose of CRL or OCSP is to maintain the lists of certificates which have not yet expired but have been revoked. Those lists are cached on the Management plane and the Data plane of the firewall.

'''HOW TO CONFIGURE AN OCSP RESPONDER:'''
*https://live.paloaltonetworks.com/docs/DOC-5837

TO VIEW THE CRL/OCSP CACHE:
 > debug sslmgr view crl
 > debug sslmgr view ocsp all

TO DELETE THE CRL/OCSP CACHE (on the management plane):
 > debug sslmgr delete crl all
 > debug sslmgr delete ocsp all

TO DELETE THE CRL/OCSP CACHE (on the data plane):
 > debug dataplane reset ssl-decrypt certificate-status

TO CHECK CRL and OCSP STATISTICS:
 > debug sslmgr statistics

'''Tech Doc:'''

'''HOW TO INSTALL A CHAINED CERT SIGNED BY A PUBLIC CA:'''
*https://live.paloaltonetworks.com/docs/DOC-4289

'''HOW TO IMPORT THE FIREWALL'S CERTIFICATE IN INTERNET EXPLORER:'''
*https://live.paloaltonetworks.com/docs/DOC-3599
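The Digest options on the Device Certificate page are all block-mode hashes of the kind described above. The following is an added example written for these notes (not code from Palo Alto Networks or from the original page): it pads a message the way those algorithms do, splits it into the blocks and words the Digest section describes, cross-checks the digest sizes with Python's hashlib, and flags which digests are still acceptable for signing a certificate.

```python
import hashlib

# Block, word, length-field and digest sizes (in bits) of the digest options
# listed on the firewall's Device Certificate page. Table constructed for this
# example from the algorithm specifications.
DIGESTS = {
    "md5":    {"block": 512,  "word": 32, "length_field": 64,  "digest": 128},
    "sha1":   {"block": 512,  "word": 32, "length_field": 64,  "digest": 160},
    "sha256": {"block": 512,  "word": 32, "length_field": 64,  "digest": 256},
    "sha384": {"block": 1024, "word": 64, "length_field": 128, "digest": 384},
    "sha512": {"block": 1024, "word": 64, "length_field": 128, "digest": 512},
}


def pad_message(msg: bytes, name: str) -> bytes:
    """Pad msg as these hashes do before compressing it: append a single 1 bit
    (0x80), then zero bits, then the original length in bits, so that the
    total is an exact multiple of the block size."""
    p = DIGESTS[name]
    block_bytes, len_bytes = p["block"] // 8, p["length_field"] // 8
    padded = msg + b"\x80"
    while (len(padded) + len_bytes) % block_bytes:
        padded += b"\x00"
    # MD5 stores the length little-endian; the SHA family stores it big-endian
    order = "little" if name == "md5" else "big"
    return padded + (len(msg) * 8).to_bytes(len_bytes, order)


def blocks_and_words(msg: bytes, name: str) -> list:
    """Split the padded message into blocks and each block into words: sixteen
    32-bit words per 512-bit block (MD5, SHA-1, SHA-256) or sixteen 64-bit
    words per 1024-bit block (SHA-384, SHA-512)."""
    p = DIGESTS[name]
    bb, wb = p["block"] // 8, p["word"] // 8
    padded = pad_message(msg, name)
    return [[padded[i + j:i + j + wb] for j in range(0, bb, wb)]
            for i in range(0, len(padded), bb)]


def digest_bits(msg: bytes, name: str) -> int:
    """Size in bits of the real digest, computed with hashlib as a cross-check."""
    return len(hashlib.new(name, msg).digest()) * 8


def acceptable_for_signing(name: str) -> bool:
    """MD5 and SHA-1 are no longer accepted for certificate signatures by
    browsers or public CAs; choose sha256 or stronger for new certificates."""
    return name in ("sha256", "sha384", "sha512")


if __name__ == "__main__":
    for name in DIGESTS:  # walk the page's digest list with a constructed message
        bw = blocks_and_words(b"abc", name)
        print(f"{name}: {len(bw)} block(s) of {len(bw[0])} words, "
              f"{digest_bits(b'abc', name)}-bit digest, "
              f"{'ok' if acceptable_for_signing(name) else 'avoid'} for signing")
```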